Internet Safety Guide

The following draft was produced in response to a new requirement under Dutch regulation for all ISPs to provide Internet safety guidance to its customers.

While Eweka does not provide Internet connectivity to consumers, EC Directive 2002/58/EC (upon which the OPTA regulation is based) is sufficiently broad in defining an ISP that Eweka may qualify, and thus likely needs to be registered as such with OPTA. For a quick summary, please see the advisory "Dutch Telecom Watchdog Issues New Rules for Internet Safety; ISPs Will Be More Closely Scrutinized" from Greenberg Traurig (GTAlert_Dutch_Internet_Safety_Rules_Feb2009.pdf).

Introduction

Computing in the Internet age is generally safe when following common sense steps to protect oneself. In this Guide you will find advice on the following topics:

Malicious Software

What is it? Malicious software is one of any number of software or applications that are designed to damage, disrupt, or otherwise negatively impact a computer system.

What kinds of malicious software exist? There are several kinds of malicious software (or "malware") that you should be concerned about. These include:

Virus: Hidden, self-replicating computer software that propagates by infecting - i.e., inserting a copy of itself into and becoming part of - another program. A virus cannot run by itself; it requires that its host program be run to make the virus active.

Trojan Horse: A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Bots and Zombies: A type of malware that combines virus and Trojan horse qualities. Bots and zombies are malicious software that is used to take control of your computer system, joining it to a network of other compromised computer systems, to be used for malicious enterprises (e.g. spam, network attacks). Bots are generally part of complex networks of infected and compromised computer systems that are often controlled by groups associated with organized crime or illicit government activity.

Spyware: A type of malware that is designed to capture information from your computer system, such as banking information, to be sent to unauthorized third parties. Many web sites deploy some form of spyware, oftentimes without being thought negative, such as to track web browsing behavior, preferences, and settings. However, these programs can also leak information that undermines your privacy.

Adware: Malicious software that seeks to insert advertisements into your normal computer use, oftentimes outside the expected presence of advertisements. For example, some adware will open a new browser window displaying an advertisement every time an Internet address is entered, but without that advertisement originating at the web site you are visiting.

Sniffers: A sniffer is a piece of software designed to collect all information transmitted by your computer over your network. Sniffers can be used by malicious software to collect username, password, banking information, and any other information that is not properly protected.

Key Loggers: Similar to a sniffer, a key logger is designed to capture information from your computer system. However, instead of capturing information that is transmitted on your network, a key logger instead seeks to capture every character entered on your keyboard. In this way, a key logger cannot be defeated by standard web technology like encryption (SSL).

How do I protect myself from malicious software?

Visit Known Good Sites: As a good practice, you should make every effort to only visit web sites that are known to be good. Google can help you find known good sites by searching for the site you're seeking. They will warn you if a site is suspected of being bad.

Do Not Open Spam or Unknown Attachments: One of the main sources of malware infections is from infected email. Most major ISPs try to block malware in email attachments, but they are not always successful. New threats emerge on a daily basis (see the SANS Internet Storm Center for more information). If you receive an email that is unexpected and not from a sender you recognize, but extremely careful in opening it, and do not open any attachments. If someone you know sends you an attachment that you weren't expecting, confirm that they intentionally sent it to you before opening it.

Install Antivirus Software: There are many commercial and free antivirus products on the market that can scan your computer for viruses and take action when a virus is found. It is highly recommended that you install such a program on your computer, and that you maintain it on a regular basis. For a list of certified products, see ICSA Labs. Free antivirus products include Avast, AVG, Clam AV, and ClamAV for Windows.

Secure Your Home Network/Firewalls: Most modern operating systems - whether it be Windows, Mac OS X, or a Linux variant - come with a built-in firewall. However, relying just on an operating system firewall is not a best practice. Instead, it is highly recommended that a home router/firewall be setup on your home network to protect against direct attacks from the Internet. Most modern malware tries to automatically infect other computers by actively looking for unprotected computers on the Internet. A firewall will make it more difficult for malware to directly connect to your computer, reducing the likelihood that your computer will get infected from direct network-based attacks. Most major retail electronics stores carry a variety of hardware firewall devices, including products by Linksys (Cisco), SMC Networks, NETGEAR, and D-Link.

Secure Your Wireless Network: Wireless networks are very common today, but are also commonly attacked. Insufficiently protected wireless routers can be used by other end-users, often without permission. Criminal acts or otherwise unwanted activities could possibly be performed with the use of the connection, and then subsequently attributed to you. Insufficient protection may also allow other end-users to access your computer through the shared wireless network. It is highly recommended that you setup minimum security precautions when configuring your wireless access point so that the aforementioned risks can be mitigated. Note that many home routers and firewalls now include a wireless gateway to provide your home network with wireless access. It is recommended that you configure WPA2 or WPA encryption (do not use WEP unless you have no other option - WEP can be easily broken) along with a strong passphrase for your network. In addition to using encryption, it is also highly recommended that you make use of "MAC filtering" to protect your wireless network. Each wireless network card has a unique "MAC address" that can be entered in the wireless gateway's "MAC filter" to limit access to only those devices explicitly specified. Consult the installation guide or manual provided by your manufacturer for more information on properly securing your wireless network.

Change Default Passwords: In all cases - whether it be your router/firewall, your wireless network's name (SSID), or accounts for your operating system (OS), it is imperative that default passwords be changed. The presence of default passwords is a common method hackers use to compromise computer systems.

Update Your Computer Operating System: One of the top reasons that a computer will become infected with malicious software is because the computer operating system (e.g. Windows, OS X) has not been updated (or "patched") on a regular basis. Microsoft issues new patches on the 2nd Tuesday of every month. Apple issues new patches on a regular, non-scheduled basis. Patches are generally free and highly advised to keep current. For Microsoft products, see http://www.windowsupdate.com/. For Apple, click on the apple in the upper left corner and choose "Software Update..." Microsoft Windows supports automatically downloading and installing patches without further involvement by the user. More information on configuring automatic updates in Windows can be found at http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx.

Scan For Spyware and Adware: Make use of a free or commercial product to scan and protect against spyware and adware that can lead to the compromise of your personal information and to the degradation of your computer's performance. Recommended products include Ad-Aware, Windows Defender, Spybot Search & Destroy, and SUPERAntiSpyware.

Use Legal Software: The use of official and legal software will protect you from malware possibly incorporated into illegal products and other risks associated with illegal software. This recommendation is not intended to discourage the use of free or open source software (FOSS). However, it is vital to be mindful, in particular, of free Windows-based programs that may be designed as malware-delivery mechanisms.

What do I do if I suspect malicious software on my computer?
If you suspect that you have a malicious software infection on your computer, then it is highly recommended that you attempt to remove that infection with one of the above tools. If you're unable to remove the infection yourself, then please find a local computer service technician to provide detailed assistance.

Botnets

Although already addressed in the "Malicious Software" section, the topic of Botnets deserves additional scrutiny. In the modern area, malicious software has evolved into a profitable enterprise for organized crime. Rather than simply rely on compromising random computers without any control or return on investment, bots have emerged as a special kind of malicious software that gives the creator of the software special remote control over infected hosts. Large networks containing hundreds of thousands of compromised computers have been grown in this decade with the purpose of generating spam, hosting malicious web sites, and for executing large-scale Internet attacks.

The following resources provide detailed explanations of how botnets operate and the threat they represent to Internet safety:

Unsolicited Bulk Messaging ("spam")

What is "spam"? Spam is unsolicited communication, usually sent indiscriminately in bulk through a major communication system, such as email, instant message, USENET, or text message on mobile phones. Most spam contains advertising, sometimes for legitimate products, but more often for false, illegal, or misleading products. Increasingly, there are strong ties between spam and botnets, with most spam being sent by bots, pointing to scam web sites run by bots. Spam contributes to many criminal enterprises, ranging from illicit pornography to illegal pharmaceuticals to identify theft.

What is OPTA doing about spam? OPTA has been a leading opponent to spam since early this decade. OPTA has taken proactive measures to facilitate the report of spam, has actively fined senders of spam, and has taken a strong stance requiring ISPs to better inform consumers of the spam and other Internet threats. OPTA fined a Dutch spammer EUR 75.000 for sending unsolicited electronic messages (see press release here: http://www.itu.int/ituweblogs/treg/OPTA+EUR+75000+Fine+For+Spammer.aspx).

Where should I report spam? OPTA maintains a site, https://www.spamklacht.nl/, for reporting spam. You can also report spam to SpamCop.

What can I do about spam? Any reputable ISP will provide email filtering as a part of their standard offering. However, spam can come in other forms, too. Following the guidance throughout the rest of this Guide will help you avoid becoming a victim of spam and other Internet threats that contribute to the spam problem.

Social Engineering ("phishing")

What is "social engineering"? According to the SANS Glossary of Terms Used in Security and Intrusion Detection (*http://www.sans.org/resources/glossary.php), social engineering is "A euphemism for non-technical or low-technology means - such as lies, impersonation, tricks, bribes, blackmail, and threats - used to attack information systems." Plainly put, social engineering is the attempt to trick you into voluntarily disclosing private information.

What is "phishing"? According to the SANS Glossary of Terms Used in Security and Intrusion Detection (*http://www.sans.org/resources/glossary.php), phishing is "The use of e-mails that appear to originate from a trusted source to trick a user into entering valid credentials at a fake website. Typically the e-mail and the web site looks like they are part of a bank the user is doing business with." Oftentimes, spam emails will send you to a malicious site that looks legitimate for the express purpose of stealing your login information. For example, a phishing message may purport to originate from your bank, directing you to a web site to enter your personal information (login information, government ID, credit card information, etc.) for the purpose of stealing that information.

How can I protect myself?

Avoid clicking links in email messages. If you receive an email purporting to be from a trusted organizations asking you to do something, instead of clicking the link in the email, instead type the known good address of the organization into your browser, or use Google to search for the correct web address.

Use known good contact information. If someone contacts you - whether via email, instant message (IM), phone, or text message (SMS) - asking for personal information, such as your government ID, credit card information, or login information (username and password), then get their employee information and tell them that you will contact them directly via a known good contact number for the organizations.

Do not disclose your password. Reputable organizations should never ask you for your password.

Beware "lost data" scams. Beware any form of communication that alleges that the organization in question has "lost" your personal information - this is oftentimes a scam to steal your personal information.

Use common sense. If the communication seems suspicious, then it probably is!

Identity Theft

What is "identity theft"? Identity theft is a form of fraud wherein a criminal uses your personal identification information (government ID, credit card information, bank account information, etc.) to pose as you to perpetrate a fraudulent transaction. The most common forms of identity theft result in fraudulent purchases of merchandise and opening lines of credit that are not authorized by the victim.

How can I protect myself?

Be vigilant. Vigilance is your first and best line of defense. You must watch records of transactions, your credit history, and any other possible use of your identity to ensure that it is not being abused.

Limit disclosure. Limit the amount of information you publish publicly. Social networking sites are quite popular, but can also result in individuals disclosing too much private information, leading to fraudulent behavior.

Follow the practices outlined in this Guide. Eweka's Internet Safety Guide provides common sense guidance to reduce your vulnerability to various threats.

Use known good contact information for organizations requesting information from you.

Do not disclose your password.

Beware "lost data" scams.

Use common sense.

Be vigilant.

Limit disclosure of personal information.

Follow the practices outlined in this Guide.

Please note that if you use the tools and practices recommended within this Guide, then the risk of getting into contact with unwanted websites, such as websites that are not suitable for children, will also be reduced. However, safe browsing is still ultimately the responsibility of the user, and thus this Guide provides no guarantee against bad things happening online.

Additional Recommended Practices:

Choose strong passwords. It is a good practice to use passwords that are a minimum of 8 characters in length that combine letters, numbers, and special characters (when possible).

Change your password regularly. Passwords should be changed at least once per year, and preferably every 90 days. Changing passwords reduces the risk represented by weak or potentially exposed passwords.

Do not reuse passwords. In order to limit the effect of a compromised password it is recommended that each username have a unique password. If you find it difficult to track all your passwords, then you might look at using a password manager, such as Password Safe, that maintains an encrypted, password-protected database of passwords for you. Under Mac OS X, you may also find the Keychain useful for this purpose.

Secure servers. Servers - particularly those hosting sensitive data - should be properly secured. There are myriad sources of guidance, including the American NSA's Security Configuration Guides, the Bastille Linux project, and the security benchmark tools from The Center for Internet Security.

Beware the long memory of the Internet. If you publish something on the Internet, then you should expect that it will be available forever. This advice is important to respect when it comes to personal information and protecting one's privacy. Social networks and other interactive media can provide fun and exciting ways to interact with others, but we must be mindful of the long-term effect. It is also imperative that you consider the ways that certain types of information could be used against you in the future. For example, while it may be fun to interact with others using technology like a webcam or by sharing digital pictures, it is very easy to make copies of the video stream or the pictures. There are recorded cases where captured webcam videos have been used to blackmail people who didn't think ahead.